
Linux Privilege Escalation Checklist

Introduction

Privilege escalation is a crucial step in the penetration testing lifecycle. With this checklist I intend to cover the main vectors used in Linux privilege escalation, together with some personal notes I used in previous penetration tests.

Manual Checks

I would first suggest getting familiar with the main commands used to perform the various privilege escalation checks before using automated scripts; this is very helpful in understanding how these attacks work.

| Command/Action | Description |
|---|---|
| `which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp tmux screen 2>/dev/null` | Any useful applications installed? This might indicate the right path for privilege escalation. |
| `sudo -l` | Anything that can be abused? If so, try searching GTFOBins. Check for environment variables. |
| `sudo su` | Can we simply log in as root? |
| `id; who; whoami; w; last; cat /etc/passwd; cat /etc/sudoers; cat /etc/group` | Check information about the users on the machine. Check the groups associated with the current user (groups to check for are wheel, shadow, disk, screen, video, lxd/lxc, root and docker). |
| `uname -a; lsb_release -a; cat /proc/version /etc/issue /etc/*-release` | Check the kernel version and then run `searchsploit linux kernel xxx`. |
| `ls -la ~/; ls -la /var/mail /home/*/ /var/spool/mail /home/*/.bash_history /var` | Check for files or binaries in common directories; check for clear-text passwords in the bash history. |
| `cat /etc/passwd; cat /etc/shadow; ls -la /etc/passwd /etc/shadow` | Can we access the passwd/shadow files? If so, are there any hashes that can be cracked? If either of them is writable, a new root user can be added to the system by creating a password hash with openssl and adding a new line to the file. |
| `ls -la /root/.bashrc` or `ls -la /home/*/.bashrc; locate .bashrc; find / -name .bashrc -xdev 2>/dev/null` | Is the .bashrc file writable? If so, malicious commands can be written to it and will be executed when the user/root logs in. |
| Check application config files | Any hidden or config files on the system we can loot (for example /var/www/html)? Any database passwords in config files? Any writable configuration (*.conf) files used by privileged executables/scripts/processes? |
| `ps aux \| grep root` | Whether running as root or as another user, maybe something is running that we can exploit. Check https://gtfobins.github.io/ |
| `find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o -perm -2000 -o -perm -6000 2>/dev/null` | Find all SUID binaries on the machine. Search GTFOBins and check for anything that stands out. |
| `ls -la /home /root /etc/ssh; locate id_rsa; locate id_dsa; cat /home/*/.ssh/id_rsa` | Check for readable private SSH keys or writable public keys (authorized_keys file). If not, can we create them for another user? |
| `find / -perm -0002 -user root 2>/dev/null` | Check for world-writable files. Can also add grep to search for scripts that may be executed by cron jobs or at boot, like .py, .php etc., for example `grep '.*\.py$'`. |
| `find / -type f -user stef -xdev 2>/dev/null; find / -type d -user stef -xdev 2>/dev/null` | Find files/directories with read/write access for the stef user, redirecting errors to /dev/null. |
| `sudo -V \| grep "Sudo ver"` | Check the sudo version and run `searchsploit sudo xxx` to see if any exploit is available. |
| `netstat -antup` | Are there any open ports on localhost we didn't see with nmap? Might need tunnelling. |
| `cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout` | Is there any useful information in the main bash user files? |
| `crontab -l; ls -alh /var/spool/cron; ls -al /etc/ \| grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny; cat /etc/crontab; cat /etc/anacrontab; cat /var/spool/cron/crontabs/root` | Check for cron jobs: anything we have access to change or that we can exploit? If binaries are used, check whether the full path is specified; if not, this can be exploited by creating a malicious binary and modifying the PATH environment variable. |
| `./pspy > pspy-out.txt` | Use pspy to see commands run by other users, cron jobs, etc. in real time as they execute. |
| `cat /etc/fstab` | Are there any unmounted file systems? |
| `getcap -r / 2>/dev/null` | Check for files with capabilities. These may allow us to access restricted files or directories. |
| `showmount -e X.X.X.X; mount X.X.X.X:/ /tmp/` | If NFS is open, check whether the target has any exported NFS shares; if it does, mount them on your filesystem. |
| `ls -alh /usr/bin/ /sbin/ /var/cache/apt/archives /var/cache/yum/; dpkg -l; rpm -qa` | What applications are installed? Are they currently running? What version are they? Are they vulnerable to anything? Is there any application that stands out? |
| Credential re-use | Any credentials found earlier that can be used in other services? |
| `tmux ls; tmux attach -t tmuxname; screen -ls; screen -dr sessionname; byobu list-session` | Any shell sessions we can hijack? |
| `gdb -p PID` | Some services might keep clear-text credentials in memory. Run ps aux, grab the process ID and attach gdb to it. |
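
The cron and world-writable checks above can be combined into a small audit of a crontab file: it flags job commands given without an absolute path (resolved through PATH at run time) and jobs that execute a world-writable file. This is an added example written for this page, not a script from the original post; it assumes /etc/crontab-style lines (five schedule fields, user, command, or an @reboot-style special) and runs on a constructed sample.

```shell
# Audit helper (added example, not from the original post): checks each
# /etc/crontab-style line for a command without an absolute path and for
# world-writable files referenced by the job. Format assumed:
#   min hour dom mon dow user command...   or   @special user command...
set -u

# Audit one crontab line. Prints each finding; returns 0 if clean, 1 otherwise.
audit_cron_line() {
    line="$1"
    case "$line" in ''|\#*) return 0 ;; esac
    # skip environment assignments such as PATH=/usr/bin:/bin
    case "${line%%[[:space:]]*}" in *=*) return 0 ;; esac
    set -f; set -- $line; set +f      # split on whitespace without globbing '*'
    case "$1" in
        @*) [ "$#" -ge 3 ] || { echo "malformed: $line"; return 1; }; shift 1 ;;
        *)  [ "$#" -ge 7 ] || { echo "malformed: $line"; return 1; }; shift 5 ;;
    esac
    user="$1"; shift
    status=0
    case "$1" in
        /*) ;;
        *)  echo "relative command '$1' in job for $user (resolved via PATH)"; status=1 ;;
    esac
    # any absolute path in the command that points at a world-writable file
    for tok in "$@"; do
        case "$tok" in
            /*) if [ -f "$tok" ] && [ -n "$(find "$tok" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                    echo "world-writable file '$tok' in job for $user"; status=1
                fi ;;
        esac
    done
    return "$status"
}

# Audit a whole crontab file; returns 1 if any line produced a finding.
audit_cron_file() {
    rc=0
    while IFS= read -r l || [ -n "$l" ]; do
        audit_cron_line "$l" || rc=1
    done < "$1"
    return "$rc"
}

# Constructed sample crontab (not from a real host) to show the output.
sample=$(mktemp)
printf '%s\n' 'PATH=/usr/local/bin:/usr/bin:/bin' '0 2 * * * root backup.sh' \
    '*/5 * * * * root /usr/bin/true' > "$sample"
if audit_cron_file "$sample"; then echo "clean"; else echo "findings reported"; fi
rm -f "$sample"
```

Run it against /etc/crontab or the files under /etc/cron.d to list jobs that would need a fixed absolute path or tighter file permissions.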

Automated Checks

Once you are familiar with how the different attacks work and how to execute them, you can start using automated scripts, which will speed up your enumeration and help you identify weaknesses.

| Command | Information |
|---|---|
| `./linpeas.sh` | LinPEAS is a script that searches for possible paths to escalate privileges on Unix* hosts. |
| `./linenum.sh > linenum-output.txt` | A really powerful bash script that enumerates system information and misconfigurations that can be used to escalate privileges. |
| `python linuxprivchecker.py > pychecker-out.txt` | Executed locally on Linux to enumerate basic system information and search for common privilege escalation vectors. |
| `./linux-exploit-suggester.sh > exploitsuggester-out.txt` | Extremely useful for quickly finding privilege escalation vulnerabilities on Linux systems. |
| `./lse.sh -l2 -i` | Shows relevant information about the security of a local Linux system, helping to escalate privileges. |
| `./unix-privesc-check > monkey-out.txt` | A script for Unix systems that tries to find misconfigurations that could allow local users to escalate privileges. |
| `python beroot.py --password super_strong_password` | BeRoot is a post-exploitation tool that checks common misconfigurations on Linux and macOS. |
| `./sudo_killer.sh -c -i /path/sk_offline.txt` | Sudo Killer identifies and exploits sudo rule misconfigurations and vulnerabilities within sudo. |
| `./jalesc` | Similar to LinEnum but much cleaner and with better highlighting. |

Conclusion

Privilege escalation is a topic that can often scare beginners, due to the number of vectors and techniques you are required to learn. With the above checklist you should be able to deal with most situations. Don't fully rely on checklists and automated scripts, though: they can fail or miss something, so do your own research as well.